BlackNurse attack: 1 laptop can DoS some firewalls, bring down big servers

Researchers warned that a low-volume BlackNurse DoS attack launched via a single laptop can bring some firewalls to their knees

BlackNurse attack: 1 laptop can DoS some firewalls, bring down big servers
Credit: TDC SOC

An attacker doesn’t need an IoT botnet or massive resources for a denial of service attack to knock large servers offline. Researchers warned that all it takes is one laptop for a “BlackNurse” attack to bring vulnerable Cisco, SonicWall, Palo Alto and Zyxel firewalls to their knees.

Danish researchers at the Security Operations Center of telecom operator TDC described BlackNurse as a low-bandwidth Internet Control Message Protocol (ICMP) attack that “is capable of doing a denial of service to well-known firewalls.”

In their report (pdf), the researchers wrote:

The BlackNurse attack attracted our attention because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.

The attack leverages ICMP Type 3 “unreachable” messages, specifically ICMP Type 3 Code 3 “port unreachable” messages. Those ICMP messages can overload a firewall CPU and result in a DoS state.

“Based on our test, we know that a reasonable sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands,” the researchers wrote.

TDC researchers define low bandwidth as a DoS attack of 15 to18 Mbps. “This is to achieve the volume of packets needed, which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN site will no longer be able to send/receive traffic to/from the internet. All firewalls we have seen recover when the attack stops.”

According to the researchers, the following products are affected:

  • Cisco ASA 5506, 5515, 5525 (default settings)
  • Cisco ASA 5550 (legacy) and 5515-X (latest generation)
  • Cisco Router 897 (can be mitigated)
  • SonicWall (misconfiguration can be changed and mitigated)
  • Some unverified Palo Alto
  • Zyxel NWA3560-N (wireless attack from LAN side)
  • Zyxel Zywall USG50

Note:

We see the Cisco ASA firewall 55xx series to have the biggest problems. Even if you deny all ICMP traffic to the firewalls, they still suffer from the DoS attack, with as little as 4Mbit of traffic.

TDC’s report includes suggested mitigations and SNORT IDS rules to detect BlackNurse attacks. Alternatively, a security engineer for OVH posted proof-of-concept code on GitHub to test if equipment is vulnerable to BlackNurse.

In a post titled “The 90's called and wanted their ICMP flood attack back,” independent software vendor NETRESEC published detailed analysis of the attack. They pointed out that the Cisco ASA 5500 manual recommends granting permission for ICMP unreachable message Type 3, but TDC recommended denying “ICMP Type 3 messages sent to the WAN interface of Cisco ASA firewalls to prevent to the BlackNurse attack.”

In response to TDC's BlackNurse report, Palo Alto published an advisory and list of recommendations.

The SANS Internet Storm Center also discussed the attack and what you should do.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.